GnuTLS: Move to more-modern stapling API
authorJeremy Harris <jgh146exb@wizmail.org>
Tue, 27 Aug 2019 16:24:23 +0000 (17:24 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Fri, 20 Sep 2019 13:30:21 +0000 (14:30 +0100)
14 files changed:
doc/doc-docbook/spec.xfpt
src/src/tls-gnu.c
src/src/tls-openssl.c
test/confs/5651
test/confs/5653 [new file with mode: 0644]
test/confs/5730
test/log/5650
test/log/5652
test/log/5653 [new file with mode: 0644]
test/log/5890
test/scripts/5650-OCSP-GnuTLS/5650
test/scripts/5650-OCSP-GnuTLS/5652
test/scripts/5650-OCSP-GnuTLS/5653 [new file with mode: 0644]
test/stdout/5650

index f7e930c..e4dfb98 100644 (file)
@@ -17820,6 +17820,7 @@ For GnuTLS 3.5.6 or later the expanded value of this option can be a list
 of files, to match a list given for the &%tls_certificate%& option.
 The ordering of the two lists must match.
 
+The file(s) should be in DER format
 
 .option tls_on_connect_ports main "string list" unset
 .cindex SSMTP
index bbc75b6..a45dd65 100644 (file)
@@ -225,6 +225,7 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 
 #ifndef DISABLE_OCSP
 static BOOL gnutls_buggy_ocsp = FALSE;
+static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
 #endif
 
 #ifdef EXPERIMENTAL_TLS_RESUME
@@ -287,11 +288,16 @@ static void exim_gnutls_logger_cb(int level, const char *message);
 
 static int exim_sni_handling_cb(gnutls_session_t session);
 
-#ifndef DISABLE_OCSP
+#if !defined(DISABLE_OCSP)
 static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
   gnutls_datum_t * ocsp_response);
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg);
+#endif
 
 
 /* Daemon one-time initialisation */
@@ -858,6 +864,9 @@ static int
 tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
   uschar * certfile, uschar * keyfile, uschar ** errstr)
 {
+/*XXX returns certs index for gnutls_certificate_set_x509_key_file(),
+given suitable flags set */
+
 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
     CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
 if (rc < 0)
@@ -868,6 +877,78 @@ return -rc;
 }
 
 
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+  const unsigned char *data, unsigned size)
+{
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (tls_id == 5)       /* status_request */
+  {
+  DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+  tls_in.ocsp = OCSP_NOT_RESP;
+  }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+                          GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n");
+#ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+  ? OCSP_VFY_NOT_TRIED : OCSP_VFIED;   /* We know that GnuTLS verifies responses */
+#else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+#endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+switch (htype)
+  {
+  case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+    return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+  case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+    return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+#ifdef EXPERIMENTAL_TLS_RESUME
+  case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+    return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+#endif
+  default:
+    return 0;
+  }
+}
+
+
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+  if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+    {
+    DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+    exim_testharness_disable_ocsp_validity_check = TRUE;
+    }
+}
+
 /*************************************************
 *       Variables re-expanded post-SNI           *
 *************************************************/
@@ -1002,12 +1083,13 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       else
        {
        int gnutls_cert_index = -rc;
-       DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
+       DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n", gnutls_cert_index, cfile);
 
        /* Set the OCSP stapling server info */
 
 #ifndef DISABLE_OCSP
        if (tls_ocsp_file)
+         {
          if (gnutls_buggy_ocsp)
            {
            DEBUG(D_tls)
@@ -1015,37 +1097,45 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
            }
          else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
            {
-           /* Use the full callback method for stapling just to get
-           observability.  More efficient would be to read the file once only,
-           if it never changed (due to SNI). Would need restart on file update,
-           or watch datestamp.  */
+           DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
 
 # ifdef SUPPORT_SRV_OCSP_STACK
-           if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
-                       state->x509_cred, gnutls_cert_index,
-                       server_ocsp_stapling_cb, ofile)))
-             return tls_error_gnu(
-                     US"gnutls_certificate_set_ocsp_status_request_function2",
-                     rc, host, errstr);
-# else
-           if (cnt++ > 0)
+           if (f.running_in_test_harness) tls_server_testharness_ocsp_fiddle();
+
+           if (!exim_testharness_disable_ocsp_validity_check)
              {
-             DEBUG(D_tls)
-               debug_printf("oops; multiple OCSP files not supported\n");
-             break;
+             if  ((rc = gnutls_certificate_set_ocsp_status_request_file2(
+                         state->x509_cred, CCS ofile, gnutls_cert_index,
+                         GNUTLS_X509_FMT_DER)) < 0)
+               return tls_error_gnu(
+                       US"gnutls_certificate_set_ocsp_status_request_file2",
+                       rc, host, errstr);
+
+             /* Arrange callbacks for OCSP request observability */
+
+             gnutls_handshake_set_hook_function(state->session,
+               GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
              }
-             gnutls_certificate_set_ocsp_status_request_function(
-               state->x509_cred, server_ocsp_stapling_cb, ofile);
+           else
 # endif
-
-           DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
+             {
+             if (cnt++ > 0)
+               {
+               DEBUG(D_tls)
+                 debug_printf("oops; multiple OCSP files not supported\n");
+               break;
+               }
+               gnutls_certificate_set_ocsp_status_request_function(
+                 state->x509_cred, server_ocsp_stapling_cb, ofile);
+             }
            }
          else
            DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
 #endif
+         }
        }
     }
-  else
+  else /* client */
     {
     if (0 < (rc = tls_add_certfile(state, host,
                state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
@@ -1983,7 +2073,7 @@ return 0;
 
 
 
-#ifndef DISABLE_OCSP
+#if !defined(DISABLE_OCSP)
 
 static int
 server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
@@ -2133,7 +2223,7 @@ if (verify_check_host(&tls_resumption_hosts) == OK)
 
   /* Try to tell if we see a ticket request */
   gnutls_handshake_set_hook_function(state->session,
-    GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
+    GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
   }
 }
 
index 541c45a..dc87291 100644 (file)
@@ -1312,7 +1312,8 @@ if (!OCSP_check_validity(thisupd, nextupd, EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX
   }
 
 supply_response:
-  cbinfo->u_ocsp.server.response = resp;       /*XXX stack?*/
+  /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */
+  cbinfo->u_ocsp.server.response = resp;
 return;
 
 bad:
index 5803c3c..01fa455 100644 (file)
@@ -3,10 +3,21 @@
 
 SERVER =
 
-.include DIR/aux-var/tls_conf_prefix
-
+exim_path = EXIM_PATH
+keep_environment  = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
 primary_hostname = server1.example.com
 
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
+
+
 # ----- Main settings -----
 
 domainlist local_domains = test.ex : *.test.ex
diff --git a/test/confs/5653 b/test/confs/5653
new file mode 100644 (file)
index 0000000..5b29f5b
--- /dev/null
@@ -0,0 +1,84 @@
+# Exim test configuration 5652
+# OCSP stapling, server, multiple certs
+
+.include DIR/aux-var/tls_conf_prefix
+
+primary_hostname = server1.example.com
+
+# ----- Main settings -----
+
+acl_smtp_mail = check_mail
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CADIR = DIR/aux-fixed/exim-ca
+DRSA = CADIR/example.com
+DECDSA = CADIR/example_ec.com
+
+tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
+tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
+tls_ocsp_file =   DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
+             : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
+
+
+tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
+
+# ------ ACL ------
+
+begin acl
+
+check_mail:
+  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+    (${listextract {${eval:$tls_in_ocsp+1}} \
+               {notreq:notresp:vfynotdone:failed:verified}})
+
+check_recipient:
+  accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+  driver = manualroute
+  condition = ${if !eq {SERVER}{server}}
+  route_list = * 127.0.0.1
+  self = send
+  transport = remote_delivery
+  errors_to = ""
+
+srvr:
+  driver = accept
+  retry_use_local_part
+  transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+remote_delivery:
+  driver =                     smtp
+  port =                       PORT_D
+  hosts_require_tls =          *
+  tls_require_ciphers =                OPT
+  hosts_require_ocsp =         *
+  tls_verify_certificates =    CERT
+  tls_verify_cert_hostnames =  :
+
+local_delivery:
+  driver = appendfile
+  file = DIR/test-mail/$local_part
+  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+  user = CALLER
+
+# End
index 625dece..2b32008 100644 (file)
@@ -3,9 +3,20 @@
 
 SERVER =
 
-.include DIR/aux-var/tls_conf_prefix
+exim_path = EXIM_PATH
+keep_environment  = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
 
 primary_hostname = server1.example.com
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
 
 
 # ----- Main settings -----
index 75428e2..7f46ba1 100644 (file)
@@ -6,12 +6,12 @@
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 1 (notresp)
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired.
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
-1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_certificate_set_ocsp_status_request_file2): The session or certificate has expired.
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 acl_conn: ocsp in status: 0 (notreq)
index 4803444..cf31aa3 100644 (file)
@@ -9,8 +9,8 @@
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 acl_mail: ocsp in status: 2 (vfynotdone)
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/log/5653 b/test/log/5653
new file mode 100644 (file)
index 0000000..82d2e7a
--- /dev/null
@@ -0,0 +1,9 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
index 324e5a4..5ffb9cc 100644 (file)
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       4
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@myhost.test.ex for getticket@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       4
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for abcd@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbC-0005vi-00@myhost.test.ex for renewal@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for postrenewal@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       4
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for timeout@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       4
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for notreq@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       4
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbK-0005vi-00@myhost.test.ex for noverify_getticket@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke--AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for noverify_resume@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for getticket@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for resume@test.ex xyz@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for abcd@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for renewal@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       0
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-PSK-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbW-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbV-0005vi-00@myhost.test.ex for postrenewal@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmbY-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbX-0005vi-00@myhost.test.ex for timeout@test.ex
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0
 1999-03-02 09:44:33 peer dn    
-1999-03-02 09:44:33 ocsp       2
+1999-03-02 09:44:33 ocsp       1
 1999-03-02 09:44:33 cipher     TLS1.x:ke-RSA-AES256-SHAnnn:xxx
 1999-03-02 09:44:33 bits       256
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for notreq@test.ex
index 78c0afd..99aaa0b 100644 (file)
@@ -38,8 +38,6 @@ exim -z '2: Server does not staple an outdated response'
 exim -bd -oX PORT_D -DSERVER=server \
  -DOPTION=DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.dated.resp
 ****
-# XXX test sequence might not be quite right; this is for a server refusal
-# and we're expecting a client refusal.
 client-gnutls -ocsp aux-fixed/exim-ca/expired1.example.com/CA.pem HOSTIPV4 PORT_D aux-fixed/cert2 aux-fixed/cert2
 ??? 220
 ehlo rhu.barb
@@ -50,7 +48,7 @@ ehlo rhu.barb
 ??? 250-
 ??? 250
 starttls
-??? 220
+??? 454
 ****
 killdaemon
 #
@@ -76,7 +74,7 @@ ehlo rhu.barb
 ??? 250-
 ??? 250
 starttls
-??? 220
+??? 454
 ****
 killdaemon
 #
index 4a33ea8..9130f65 100644 (file)
@@ -1,4 +1,4 @@
-# OCSP stapling, server, multiple certs
+# OCSP stapling, server, multiple leaf certs
 #
 #
 #
diff --git a/test/scripts/5650-OCSP-GnuTLS/5653 b/test/scripts/5650-OCSP-GnuTLS/5653
new file mode 100644 (file)
index 0000000..55cea8b
--- /dev/null
@@ -0,0 +1,23 @@
+# OCSP stapling, server, multiple chain-element OCSP
+#
+#
+#
+exim -z '1: Server sends good staple on request, to client requiring RSA auth'
+****
+#
+exim -d+all -bd -oX PORT_D -DSERVER=server
+****
+exim -odf \
+  -DOPT=NONE:+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 \
+  -DCERT=DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem \
+  rsa.auth@test.ex
+Subject: test
+
+.
+****
+killdaemon
+#
+#
+#
+#
+no_msglog_check
index 7b5628c..8a72c0f 100644 (file)
@@ -49,10 +49,9 @@ Key file = aux-fixed/cert2
 ??? 250
 <<< 250 HELP
 >>> starttls
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-Bad certificate
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Certificate file = aux-fixed/cert2
@@ -73,10 +72,9 @@ Key file = aux-fixed/cert2
 ??? 250
 <<< 250 HELP
 >>> starttls
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-Bad certificate
+??? 454
+<<< 454 TLS currently unavailable
+Abandoning TLS start attempt
 End of script
 Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
 Certificate file = aux-fixed/cert2